From fb1ad76e654f1c02303e83f908899df3460e0534 Mon Sep 17 00:00:00 2001
From: Tim McCormack
Date: Sat, 22 Jan 2022 01:53:31 +0000
Subject: [PATCH] fix: Exempt LTI in safe-sessions enforcement

This LTI call was failing in unit tests when `ENFORCE_SAFE_SESSIONS` was enabled. I'm not sure why we didn't see failures in production when the toggle was enabled in config.
---
 lms/djangoapps/lti_provider/users.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lms/djangoapps/lti_provider/users.py b/lms/djangoapps/lti_provider/users.py
index eabf821065..7c5a9c88eb 100644
--- a/lms/djangoapps/lti_provider/users.py
+++ b/lms/djangoapps/lti_provider/users.py
@@ -16,6 +16,7 @@ from django.db import IntegrityError, transaction
 from common.djangoapps.student.models import UserProfile
 from lms.djangoapps.lti_provider.models import LtiUser
+from openedx.core.djangoapps.safe_sessions.middleware import mark_user_change_as_expected
 def authenticate_lti_user(request, lti_user_id, lti_consumer):
@@ -96,6 +97,7 @@ def switch_user(request, lti_user, lti_consumer):
 # users by this point, but just in case we can return a 403.
 raise PermissionDenied()
 login(request, edx_user)
+ mark_user_change_as_expected(edx_user.id)
 def generate_random_edx_username():
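Review bot: The new `mark_user_change_as_expected(edx_user.id)` line after `login(request, edx_user)` exempts this path from a session-integrity check, yet the call site carries no comment saying why a user change here is legitimate. I would add above it something like `# LTI launches deliberately swap the session user; tell safe-sessions this change is expected.` so a later reader does not copy the call elsewhere as a generic way to silence the check. The diffstat shows only `users.py` changed, so no test exercises `switch_user` with `ENFORCE_SAFE_SESSIONS` enabled; given the description's open question about production, a regression test for that setting would pin the behaviour. `switch_user` starts outside the hunk, so whether every route to `login()` has already validated `lti_user` against `lti_consumer` cannot be confirmed from here.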